diff options
Diffstat (limited to 'caddyconfig/httpcaddyfile/tlsapp.go')
-rw-r--r-- | caddyconfig/httpcaddyfile/tlsapp.go | 45 |
1 files changed, 30 insertions, 15 deletions
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go index 2ce7ea3..b31bdc5 100644 --- a/caddyconfig/httpcaddyfile/tlsapp.go +++ b/caddyconfig/httpcaddyfile/tlsapp.go @@ -16,6 +16,7 @@ package httpcaddyfile import ( "bytes" + "encoding/json" "fmt" "reflect" "sort" @@ -53,7 +54,7 @@ func (st ServerType) buildTLSApp( continue } if otherAddr.Host != "" { - hostsSharedWithHostlessKey[addr.Host] = struct{}{} + hostsSharedWithHostlessKey[otherAddr.Host] = struct{}{} } } break @@ -72,7 +73,7 @@ func (st ServerType) buildTLSApp( // get values that populate an automation policy for this block var ap *caddytls.AutomationPolicy - sblockHosts := sblock.hostsFromKeys(false, false) + sblockHosts := sblock.hostsFromKeys(false) if len(sblockHosts) == 0 { ap = catchAllAP } @@ -263,6 +264,33 @@ func (st ServerType) buildTLSApp( tlsApp.Automation.OnDemand = onDemand } + // if any hostnames appear on the same server block as a key with + // no host, they will not be used with route matchers because the + // hostless key matches all hosts, therefore, it wouldn't be + // considered for auto-HTTPS, so we need to make sure those hosts + // are manually considered for managed certificates; we also need + // to make sure that any of these names which are internal-only + // get internal certificates by default rather than ACME + var al caddytls.AutomateLoader + internalAP := &caddytls.AutomationPolicy{ + IssuerRaw: json.RawMessage(`{"module":"internal"}`), + } + for h := range hostsSharedWithHostlessKey { + al = append(al, h) + if !certmagic.SubjectQualifiesForPublicCert(h) { + internalAP.Subjects = append(internalAP.Subjects, h) + } + } + if len(al) > 0 { + tlsApp.CertificatesRaw["automate"] = caddyconfig.JSON(al, &warnings) + } + if len(internalAP.Subjects) > 0 { + if tlsApp.Automation == nil { + tlsApp.Automation = new(caddytls.AutomationConfig) + } + tlsApp.Automation.Policies = append(tlsApp.Automation.Policies, internalAP) + } + // if there is a global/catch-all automation policy, ensure it goes last if catchAllAP != nil { // first, encode its issuer @@ -276,19 +304,6 @@ func (st ServerType) buildTLSApp( tlsApp.Automation.Policies = append(tlsApp.Automation.Policies, catchAllAP) } - // if any hostnames appear on the same server block as a key with - // no host, they will not be used with route matchers because the - // hostless key matches all hosts, therefore, it wouldn't be - // considered for auto-HTTPS, so we need to make sure those hosts - // are manually considered for managed certificates - var al caddytls.AutomateLoader - for h := range hostsSharedWithHostlessKey { - al = append(al, h) - } - if len(al) > 0 { - tlsApp.CertificatesRaw["automate"] = caddyconfig.JSON(al, &warnings) - } - // do a little verification & cleanup if tlsApp.Automation != nil { // ensure automation policies don't overlap subjects (this should be |